Unable to renew certificate

Help
1

My domain is: www.orateldiagnostics.com

I tried certbot renew --dry-run and kept getting 403 error. I have turned off https redirection, updated permissions, etc. I was able to use

certbot -d www.orateldiagnostics.com --manual --preferred-challenges dns certonly

to validate but still not able to get a valid cert for my site.
Any help would be greatly appreciated.

My web server is Apache/2.4.18 (Ubuntu):
certbot --version
certbot 0.31.0

2

Hi @CaffeinatedHerring

you have created a correct dns-txt entry ( https://check-your-website.server-daten.de/?q=orateldiagnostics.com ):

TXT - Entries

Domainname TXT Entry Status ∑ Queries ∑ Timeout
orateldiagnostics.com ok 1 0
www.orateldiagnostics.com 1 0
_acme-challenge.orateldiagnostics.com Name Error - The domain name does not exist 1 0
_acme-challenge.www.orateldiagnostics.com wagD9IhRxjInXULpldy7Vqd8L6_UtSeOHhjO4Mml0VQ looks good 1 0

And you have two new certificates ( crt.sh | www.orateldiagnostics.com ):

But your server sends http over port 443, so your ssl configuration doesn't work.

Domainname Http-Status redirect Sec. G
http://orateldiagnostics.com/
104.197.13.170 301 https://www.orateldiagnostics.com/ 0.680 E
http://www.orateldiagnostics.com/
104.197.13.170 301 https://www.orateldiagnostics.com/ 0.257 A
https://orateldiagnostics.com/
104.197.13.170 -4 0.464 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
https://www.orateldiagnostics.com/
104.197.13.170 -4 0.467 W
SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format.
http://orateldiagnostics.com:443/
104.197.13.170 200 0.240 Q

Grade Q - that's

The handshake failed due to an unexpected packet format.

the typical error message.

So certificate creation works.

What says

certbot certificates
3

I turned off redirect over 443

Also, I created a test file at
http://www.orateldiagnostics.com/.well-known/acme-challenge/test.txt

which can be seen at http

sudo certbot certificates gives…

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Revocation status for /etc/letsencrypt/live/orateldiagnostics.com/cert.pem is unknown

Found the following certs:
Certificate Name: orateldiagnostics.com
Domains: orateldiagnostics.com www.orateldiagnostics.com
Expiry Date: 2019-04-16 23:31:18+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/orateldiagnostics.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/orateldiagnostics.com/privkey.pem

sudo certbot renew --dry-run gives …

                                                                                • Processing /etc/letsencrypt/renewal/orateldiagnostics.com.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Cert is due for renewal, auto-renewing… Plugins selected: Authenticator apache, Installer apache Renewing an existing certificate Performing the following challenges: http-01 challenge for orateldiagnostics.com http-01 challenge for www.orateldiagnostics.com Waiting for verification… Cleaning up challenges Attempting to renew cert (orateldiagnostics.com) from /etc/letsencrypt/renewal/orateldiagnostics.com.conf produced an unexpected error: Failed authorization procedure. orateldiagnostics.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://orateldiagnostics.com/.well-known/acme-challenge/wsPwbM2MCjiP5WzcoxUavn9hALeHRF1avsZvMRTf5DY [104.197.13.170]: “<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p”, www.orateldiagnostics.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.orateldiagnostics.com/.well-known/acme-challenge/Weqho0r41MIQe4ABydEaNb0XrjEGK4CU-0zgsqwelTU [104.197.13.170]: “<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p”. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/orateldiagnostics.com/fullchain.pem (failure) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ** DRY RUN: simulating ‘certbot renew’ close to cert expiry ** (The test certificates below have not been saved.) All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/orateldiagnostics.com/fullchain.pem (failure) ** DRY RUN: simulating ‘certbot renew’ close to cert expiry ** (The test certificates above have not been saved.) - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 renew failure(s), 0 parse failure(s)
                                                                                  IMPORTANT NOTES: - The following errors were reported by the server: Domain: www.orateldiagnostics.com Type: unauthorized Detail: Invalid response from http://www.orateldiagnostics.com/.well-known/acme-challenge/MAm3L5TuEh00v_CzU-c6dzg_CIhZYurL_-sVykTE0tw [104.197.13.170]: “<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p” Domain: orateldiagnostics.com Type: unauthorized Detail: Invalid response from http://orateldiagnostics.com/.well-known/acme-challenge/L3gYqXhZY8hYxFfFiY_W3iYzAqFVrrh1VnoAQ23l4Cg [104.197.13.170]: “<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p” To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.

Thanks Again

4

Sorry the previous post did not look like it was able to display the output. Here is the output from sudo certbot renew --dry-run …

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/orateldiagnostics.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for orateldiagnostics.com
http-01 challenge for www.orateldiagnostics.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (orateldiagnostics.com) from /etc/letsencrypt/renewal/orateldiagnostics.com.conf produced an unexpected error: Failed authorization procedure. orateldiagnostics.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://orateldiagnostics.com/.well-known/acme-challenge/Q28Y0OrmFme9aPtKs7XUzjuQHNKPR1T_EApl32M2epE [104.197.13.170]: “\n\n403 Forbidden\n\n

Forbidden

\n<p”, www.orateldiagnostics.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.orateldiagnostics.com/.well-known/acme-challenge/Wx3vDn_bdLimMXNAB6WGw3eCMZycRNeoEgtWhKSGPI4 [104.197.13.170]: “\n\n403 Forbidden\n\n

Forbidden

\n<p”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/orateldiagnostics.com/fullchain.pem (failure)

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/orateldiagnostics.com.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for orateldiagnostics.com
http-01 challenge for www.orateldiagnostics.com
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (orateldiagnostics.com) from /etc/letsencrypt/renewal/orateldiagnostics.com.conf produced an unexpected error: Failed authorization procedure. orateldiagnostics.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://orateldiagnostics.com/.well-known/acme-challenge/Q28Y0OrmFme9aPtKs7XUzjuQHNKPR1T_EApl32M2epE [104.197.13.170]: “\n\n403 Forbidden\n\n

Forbidden

\n<p”, www.orateldiagnostics.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.orateldiagnostics.com/.well-known/acme-challenge/Wx3vDn_bdLimMXNAB6WGw3eCMZycRNeoEgtWhKSGPI4 [104.197.13.170]: “\n\n403 Forbidden\n\n

Forbidden

\n<p”. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/orateldiagnostics.com/fullchain.pem (failure)
5

Your test file works!

So you have found your correct webroot. Then use this webroot.

certbot run -a webroot -i apache -w yourWebRoot -d www.orateldiagnostics.com -d orateldiagnostics.com
6

It looks like that worked… thank you so much.

7

Yep, now you have a new certificate:

CN=www.orateldiagnostics.com
	24.04.2019
	23.07.2019
expires in 89 days	
orateldiagnostics.com, www.orateldiagnostics.com - 2 entries

And Grade B is very good.

But your page doesn't work. There is php code visible:

<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require( dirname( __FILE__ ) . '/wp-blog-header.php' );

That's always bad. A server should never send code.

8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.